Speaking at VERIFY 2006

September 5th, 2006

I’ll be speaking at VERIFY 2006, which presents “real world testing solutions – presented by practitioners with edge of technology hands-on testing experience.”

I’m presenting: Hands-on with Free Web Security Testing Tools. Read on for my agenda.

The agenda should go something like this:

Anatomy of HTTP

  • Requests
  • Responses
  • Encodings, etc.
  • Methods: GET/POST, etc.
  • Proxying (how it works)

Testing Methods

  • Spidering
  • Probing for likely defaults (e.g. /admin/)
  • Bypassing client-side checks (e.g., JavaScript)

Anatomy of Weaknesses

  • JavaScript Injection
    • Why it’s bad
    • How to test for it
    • How to automate tests for it
  • SQL Injection
    • Why it’s bad
    • How to test for it
    • How to automate tests for it

Tools

  • Nikto
    • Spidering
    • Probing systems that require authentication, SSL, etc.
    • Sorting out false positives
    • Interpreting true positives
  • TamperData (Firefox Plugin)
  • Curl
    • GETting a page
    • GETting just the headers
    • POSTing a form automatically
    • Scripting
  • Perl’s Libwww
    • Making basic requests
    • Automating tests
  • OpenSSL s_client
    • Testing supported SSL algorithms
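
The HTTP anatomy items (requests, responses, encodings, GET/POST), the curl items (GETting a page, GETting just the headers, POSTing a form) and the "bypassing client-side checks" point, worked through as an added example. This is my own code, not code from the talk or the original post: it starts a constructed demo server on a loopback port, and the form page, the `/submit` endpoint and the `qty` limit are assumptions made for the demonstration. The client side uses the standard library rather than curl so the whole thing runs offline; each helper call corresponds to `curl URL`, `curl -I URL` and `curl -d 'qty=5' URL`.

```python
"""Added example (not from the original post): HTTP request/response anatomy
with a constructed local server and standard-library client calls."""
import threading
import urllib.parse
from http.client import HTTPConnection
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

# Constructed form page: the onsubmit handler is a client-side (JavaScript)
# check that only a browser running the script will ever enforce.
FORM_PAGE = b"""<html><body>
<form method="post" action="/submit" onsubmit="return this.qty.value <= 10">
  <input name="qty"><input type="submit">
</form></body></html>"""


class DemoHandler(BaseHTTPRequestHandler):
    """Assumed demo server: serves the form and re-checks the limit on POST."""

    def do_GET(self):
        if self.path == "/":
            self._reply(200, "text/html; charset=utf-8", FORM_PAGE)
        else:
            self._reply(404, "text/plain", b"not found")

    def do_HEAD(self):
        # HEAD carries the same status line and headers as GET, with no body
        # (this is what `curl -I` asks for).
        self.send_response(200)
        self.send_header("Content-Type", "text/html; charset=utf-8")
        self.send_header("Content-Length", str(len(FORM_PAGE)))
        self.end_headers()

    def do_POST(self):
        length = int(self.headers.get("Content-Length", 0))
        body = self.rfile.read(length)
        # Form bodies arrive URL-encoded: "qty=5&other=..."
        fields = urllib.parse.parse_qs(body.decode("utf-8"))
        qty = fields.get("qty", [""])[0]
        if qty.isdigit() and 1 <= int(qty) <= 10:
            self._reply(200, "text/plain", b"accepted")
        else:
            # A client speaking HTTP directly never runs the page's JavaScript,
            # so the server must enforce the rule itself.
            self._reply(400, "text/plain", b"rejected: qty must be 1..10")

    def _reply(self, status, ctype, body):
        self.send_response(status)
        self.send_header("Content-Type", ctype)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep demo output quiet
        pass


def start_server():
    """Start the demo server on an ephemeral loopback port."""
    server = ThreadingHTTPServer(("127.0.0.1", 0), DemoHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def http_exchange(port, method, path, form=None):
    """Send one request; return (status, headers dict, body bytes).

    form=None  -> plain request (curl URL / curl -I URL)
    form=dict  -> URL-encoded body, as `curl -d` sends by default
    """
    headers, body = {}, None
    if form is not None:
        body = urllib.parse.urlencode(form).encode("utf-8")
        headers["Content-Type"] = "application/x-www-form-urlencoded"
    conn = HTTPConnection("127.0.0.1", port)
    conn.request(method, path, body=body, headers=headers)
    resp = conn.getresponse()
    data = resp.read()
    conn.close()
    return resp.status, dict(resp.getheaders()), data


if __name__ == "__main__":
    srv = start_server()
    port = srv.server_address[1]
    print(http_exchange(port, "GET", "/"))                      # whole page
    print(http_exchange(port, "HEAD", "/"))                     # headers only
    print(http_exchange(port, "POST", "/submit", {"qty": "5"}))   # 200 accepted
    print(http_exchange(port, "POST", "/submit", {"qty": "500"})) # 400 rejected
    srv.shutdown()
```

The last two calls are the point of the "bypassing client-side checks" item: the same POST that a browser's JavaScript would have blocked reaches the server unhindered, and only the server-side `do_POST` check turns it away.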

The Hacker Instinct

  • Spotting things that “smell” bad
  • Common mistakes that can be exploited
  • 5 tests that get you the most bang for your buck
